{"id":"MGASA-2025-0039","summary":"Updated python-django packages fix security vulnerabilities","details":"An issue was discovered in Django 4.2 before 4.2.14 and 5.0 before\n5.0.7. urlize and urlizetrunc were subject to a potential denial of\nservice attack via certain inputs with a very large number of brackets.\n(CVE-2024-38875)\nAn issue was discovered in Django 5.0 before 5.0.7 and 4.2 before\n4.2.14. The django.contrib.auth.backends.ModelBackend.authenticate()\nmethod allows remote attackers to enumerate users via a timing attack\ninvolving login requests for users with an unusable password.\n(CVE-2024-39329)\nAn issue was discovered in Django 5.0 before 5.0.7 and 4.2 before\n4.2.14. Derived classes of the django.core.files.storage.Storage base\nclass, when they override generate_filename() without replicating the\nfile-path validations from the parent class, potentially allow directory\ntraversal via certain inputs during a save() call. (CVE-2024-39330)\nAn issue was discovered in Django 5.0 before 5.0.7 and 4.2 before\n4.2.14. get_supported_language_variant() was subject to a potential\ndenial-of-service attack when used with very long strings containing\nspecific characters. (CVE-2024-39614)\nAn issue was discovered in Django 5.0 before 5.0.8 and 4.2 before\n4.2.15. The floatformat template filter is subject to significant memory\nconsumption when given a string representation of a number in scientific\nnotation with a large exponent. (CVE-2024-41989)\nAn issue was discovered in Django 5.0 before 5.0.8 and 4.2 before\n4.2.15. The urlize() and urlizetrunc() template filters are subject to a\npotential denial-of-service attack via very large inputs with a specific\nsequence of characters. (CVE-2024-41990)\nAn issue was discovered in Django 5.0 before 5.0.8 and 4.2 before\n4.2.15. The urlize and urlizetrunc template filters, and the\nAdminURLFieldWidget widget, are subject to a potential denial-of-service\nattack via certain inputs with a very large number of Unicode\ncharacters. (CVE-2024-41991)\nAn issue was discovered in Django 5.0 before 5.0.8 and 4.2 before\n4.2.15. QuerySet.values() and values_list() methods on models with a\nJSONField are subject to SQL injection in column aliases via a crafted\nJSON object key as a passed *arg. (CVE-2024-42005)\nAn issue was discovered in Django 5.1 before 5.1.1, 5.0 before 5.0.9,\nand 4.2 before 4.2.16. The urlize() and urlizetrunc() template filters\nare subject to a potential denial-of-service attack via very large\ninputs with a specific sequence of characters. (CVE-2024-45230)\nAn issue was discovered in Django v5.1.1, v5.0.9, and v4.2.16. The\ndjango.contrib.auth.forms.PasswordResetForm class, when used in a view\nimplementing password reset flows, allows remote attackers to enumerate\nuser e-mail addresses by sending password reset requests and observing\nthe outcome (only when e-mail sending is consistently failing).\n(CVE-2024-45231)\nAn issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10,\nand 4.2 before 4.2.17. The strip_tags() method and striptags template\nfilter are subject to a potential denial-of-service attack via certain\ninputs containing large sequences of nested incomplete HTML entities.\n(CVE-2024-53907)\nAn issue was discovered in Django 5.1 before 5.1.4, 5.0 before 5.0.10,\nand 4.2 before 4.2.17. Direct usage of the\ndjango.db.models.fields.json.HasKey lookup, when an Oracle database is\nused, is subject to SQL injection if untrusted data is used as an lhs\nvalue. (CVE-2024-53908)\nAn issue was discovered in Django 5.1 before 5.1.5, 5.0 before 5.0.11,\nand 4.2 before 4.2.18. Lack of upper-bound limit enforcement in strings\npassed when performing IPv6 validation could lead to a potential\ndenial-of-service attack. The undocumented and private functions\nclean_ipv6_address and is_valid_ipv6_address are vulnerable, as is the\ndjango.forms.GenericIPAddressField form field. (CVE-2024-56374)\n","modified":"2026-01-30T07:38:08.632422Z","published":"2025-02-05T19:51:21Z","related":["CVE-2024-38875","CVE-2024-39329","CVE-2024-39330","CVE-2024-39614","CVE-2024-41989","CVE-2024-41990","CVE-2024-41991","CVE-2024-42005","CVE-2024-45230","CVE-2024-45231","CVE-2024-53907","CVE-2024-53908","CVE-2024-56374"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2025-0039.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=33919"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=33387"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=33507"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2024/07/09/3"},{"type":"REPORT","url":"https://www.djangoproject.com/weblog/2024/jul/09/security-releases/"},{"type":"REPORT","url":"https://openwall.com/lists/oss-security/2024/08/06/2"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2024/09/03/3"},{"type":"REPORT","url":"https://openwall.com/lists/oss-security/2024/12/04/3"},{"type":"REPORT","url":"https://www.openwall.com/lists/oss-security/2025/01/14/2"},{"type":"REPORT","url":"https://ubuntu.com/security/notices/USN-7205-1"}],"affected":[{"package":{"name":"python-django","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/python-django?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.1.13-1.2.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0039.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}